Privacy Policy - 5CA Careers

Last amendment: 8 August 2023

1. Privacy Mission and Vision

Our Mission: Enable 5CA to navigate a dynamic future in privacy through transparent, ethical, and innovative uses
of personal data. 5CA Privacy Team is a division of the 5CA Legal and Compliance department. We strive to be a valued
partner and advisor to 5CA community by providing guidance and training on privacy laws, policies, and best practices.

Long Term Goals:

Promulgate privacy by design,
Build trust as a data steward,
Manage privacy risk proactively and pragmatically,
Advocate for the innovative and ethical use of data,
Be a recognized leader in data privacy.

2. Who are we? Introduction

This Privacy Policy applies to anyone who applies for employment, a role or who otherwise seeks to carry out work for
5CA, whether permanent or temporary and includes freelancers, interns, contractors (“Candidate“); those who
provide
feedback about Candidates (“Reference Contacts“); and anyone who visits this Website (“Website Visitor”)
jointly
referred to as “you”, “your”, “yours”.

Your Data Controller under this Privacy Policy is 5CA B.V., and Cocoroco B.V., both located at Stationsstraat 154, 3511
EK Utrecht and its affiliates and entities that in the later stage of the recruitment, enter into a contractual
relationship with you (“5CA”, “5CA Group” “we”, “us”, “our”). In this regard, further internal policies and
notices will
be shared with Candidates and will apply as per the stage of recruitment and the role at 5CA.

“Personal data” means any information relating to an identified or identifiable natural person. For example, we
may
collect your first, last name and email address which is your personal data as a Candidate.

This also means that from the moment of the collection of your personal data, you are a “Data subject” in the
meaning of
Privacy Law that applies to you.

5CA places foremost importance on any operation or set of operations performed on
personal data or on sets of personal data, whether by automated means. This is, for example, the collection, use,
recording, disclosure, maintenance, organisation, storage, and deletion of your personal data (“Processing“).

Your personal data under this Privacy Policy is processed under General Data Protection Regulation (“GDPR“) and
other data
protection and privacy legislation that applies depending on which country or region you apply, contact us, or visit our
website (“Privacy law“).

5CA processes your personal data per general privacy principles of lawfulness, fairness,
transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and
accountability that arise from the GDPR and similar privacy principles that come from the applicable Privacy law.

3. Which personal data do we collect and why?

We will process personal data for the purposes as stated below:

Data subject	Personal data	Purpose	Legal ground
Website visitor	Website Browsing and Device Information including IP address, browser type, device type, browsing time, hashed email address (collected via application form if you accept advertisement and targeting cookies), your use of this Website, and other clickstream data as per cookie.	Depending used Cookies: Providing certain features of the Website, Understanding and saving user’s preferences for future visits, Advertising on other sites, Compiling and aggregating data about site traffic and site interaction so that we can offer better website experiences and tools in the future, Statistical analysis and market research. You can freely customize your data per use/purpose via our Cookie settings by clicking the cookie icon or cookie settings. To know more about these purposes, see our Cookie policy.	Consent
Candidate	Contact and Personal Identification information including full name, email address, phone number, physical address, country of residence, city of residence, username, date of birth, LinkedIn profile link if provided, Recruitment information including office location, job title, preferable working time, job application details, salary wage expectation including currency, start date, time zone, information about gaming, recruiter’s internal notes, Education and Skills Information including Academic Transcripts, CV, Cover Letter, education and training history, present and past experience data, educational degrees, grade, previous experience, soft skills, Device and Diagnostic Data: including OS Information, equipment details, Internet speed, equipment details and power/internet/home-office conditions.	Recruiting new Colleagues, Forwarding recruitment information to the potential managers, Interviewing, Determining the new candidate to be recruited and making job offers, If accepted, forwarding necessary information to proceed with the onboarding process.	Performance of a contract and consent if you voluntarily provide sensitive personal data.
Candidate	Contact information including first and last name, email address, Reference or Background Checks data about candidate’s activities per requirements for a certain position.	Performing background checks, if necessary, Analysing the results of such checks.	Legitimate Interest or if necessary for a legal obligation.
Reference Contacts	Contact Information including full name, email address.	Voluntarily contacting us and referring Candidates, Being voluntarily mentioned by Candidates to be contacted by us, Receiving feedback about Candidates	Consent
Candidate	Contact information including first and last name, email address, Education and Skills Information (e.g., education language level, language score, photograph taken during the test to make sure the correct person takes the test, test date, skills test information, audio-recording per language speaking test)	Performing eligibility assessments, Assessing the qualifications, evaluating new candidates, Confirming how well the Candidate corresponds to the position, Reviewing eligible candidates in line with the company’s necessities, Assessing language proficiency and skills.	Legitimate interest and consent (if sensitive personal data collected).
Candidate	Contact information including first and last name, email address.	Sending company-related communications (newsletter), surveys and online forms about 5CA’s recruitment-related and general activities.	Consent
Candidate	Documents and additional personal data requested such as about nationality.	Performing eligibility assessments, Proceeding with the onboarding process.	Performance of a contract and if necessary for a legal obligation.

4. Legal basis

Contractual obligation

We may process your personal data as stated above to perform necessary precontractual activities to sign the contract
between Candidate and 5CA. In such a case, we must process Candidate’s personal data to fulfill the contract (Art.
6(1)(b) GDPR). If the opposite is the case, it will not be possible for you and us to perform the necessary
precontractual activities to hire you.

Legitimate interest

Based on Article 6(1)(f) of the GDPR, we may process your personal data for the legitimate interests of 5CA which are
the background checks (excluding the background checks needed by local laws applicable to Candidate) and the necessary
assessments of your eligibility per Candidate’s position.

Failure to process this data constitutes the impossibility to proceed with your application. You have the
right to object under Article 21 of the GDPR.

Consent

Based on Article 6(1)(a) of the GDPR, we may process your personal data based on prior, freely given, informed,
unambiguous and specific consent. You are free to provide your consent and have the right to withdraw it at any time.

Right to withdraw consent

You can withdraw your consent at any time by sending a request to privacy@5ca.com. If you change your decision, it will
not affect the lawfulness of processing your personal data based on consent before its withdrawal. This means we will
not further process your personal data from the moment of withdrawal, but the processing activities performed beforehand
will still be legitimate.

Necessary for a legal obligation

To comply with our legal obligations, 5CA may process your personal data for such purposes particular, in case your
personal data are subject to a conflict to which we are a party, we might need to process and disclose your personal
data to authorities and persons we require to use our right to defence such as attorneys, experts and courts. We may
process your personal data to fulfil these legal liabilities and to use our right to defence. We also use this legal
ground to process your personal data at the end of the application process where additional details and documents are
needed to start and proceed with the onboarding process.

5. Reference Contact

If Candidate provides Reference Contacts’ personal data to us, Candidate hereby accepts and guarantees that they
disclose the data of the reference contact in a CV or similar resources with 5CA pursuant to the knowledge and consent
of the relevant Reference Contact, and all responsibility will belong to Candidate if the Reference Contact requests and
claims otherwise.

6. Retention Periods

5CA gives utmost importance on not keeping your personal data longer than necessary. To ensure that personal data is
kept for no longer than necessary, we apply retention periods concerning the category, sensitivity and the purpose of
personal data processed. This also depends on the stage of your recruitment, in particular, when you are rejected or
accepted, consent you have given to 5CA, as well as 5CA’s legitimate interests and legal obligations of local affiliates
and subsidiaries. When you accept the job offer, the retention periods will correspond to the contract you will sign,
and the privacy policy or notice related to such contract and personal data provided to onboard you.

Where technically possible we set automated retention periods so after a reasonable period your personal data will be
anonymized or deleted. The established retention periods are reviewed and updated regularly.

7. Sharing personal data with third parties

Personal data of Candidates is provided to parties that assist 5CA in the recruitment process and to 5CA affiliates and
subsidiaries for which Candidate will perform future’s contractual activities. The parties that assist 5CA in the
recruitment process are the Recruitment Management Platform vendor used to centrally manage your application process and
the parties that assist in performing eligibility, language, skills assessments, and other types of necessary checks per
certain role. When Candidate or Reference Contact contacts us via recruitment platforms such as LinkedIn or email, the
providers of those platforms will process personal data as per activities via the registered account on such platforms.
Data of Website

Visitors (if it constitutes personal data) is hosted by our website hosting provider and processed as per
Section 10. All the above-mentioned parties use their own systems and vendors to support performing the service for the
purposes listed above.

8. Data transfers, storage, and processing globally

Most of the parties provided in Section 6 are located in the European Economic Area (“EEA“), in particular – in
the Netherlands and some may be located outside of the European Economic Area, for example, in United States, United
Kingdom, Argentina, Uruguay, Hong Kong, South Africa, Ukraine, Philippines, Turkey. This will also depend on which of
our affiliate or subsidiary you apply to. Where your personal data is stored outside the EEA, and when such a country
does not have any binding adequacy decisions from the European Commission (such decisions guarantee your data is safely
sent outside EEA), we will ensure an appropriate level of protection for the data transferred by providing adequate
contractual (such as Standard Contractual Clauses), organizational and technical safeguards (jointly referred to as
“adequate safeguards“). We also require vendors to act appropriately to protect the confidentiality and security
of personal data, especially for your personal data processed outside EEA. You can ask for a copy of such adequate
safeguards via privacy@5ca.com

9. How do we protect your information?

We have implemented commercially reasonable technical, organizational and security measures designed to protect your
personal data. Ensuring the security of your personal data is particularly important to us, which is why we have taken
different technical and organizational measures to ensure this. In particular:

We use regular prevention, detection, and response systems to scan and mitigate potential vulnerabilities and reduce
security risks,

Your personal data is contained behind secured networks and is only accessible by a limited number of your
recruiters, hiring managers, maintenance, and security teams on a need-to-know basis and who are required to keep
the information confidential as per Zero Trust approach. In addition, the information is encrypted with Secure
Socket Layer (SSL) technology,

We implement a variety of security measures when you enter, submit, or access your information to maintain the
safety of your personal data.

As the security of information depends in part on the security of the computer, device, or network you use to
communicate with us and the security you use to protect your user IDs and passwords, please make sure to respond
appropriately to protect the information you send us as well.

10. Which cookies do we use?

Cookies and similar tracking technologies, such as beacons, scripts, web beacons and tags (which together we refer to as
“cookies”), are small bits of text, usually stored on a user’s computer hard drive or within a browser. They enable this
Website and/or other websites which can recognise a cookie to remember information about the user’s visit to that
website.

Cookies are used to make the Website work, or work more efficiently, and to provide information to the Website’s owners.

Such information may be used to provide a more personalized and responsive service. Cookies may be either first-party
cookies set directly by us to your device, or third-party cookies set by a third-party provider on our behalf. When you
use this Website, information may be collected through cookies and other technologies.

For more information regarding the cookies that we use please visit our Cookie policy.

11. Your privacy rights

If you believe that your data protection rights may have been breached, you have the right to lodge a complaint with
the applicable supervisory authority or to seek a remedy through the courts,

You have the right to object to profiling (if such is part of our activities),

You have the right to object, to or to request restriction, of the processing,

You have the right to request that we rectify any personal data.

You also have a right to request certain details of the basis on which your personal data is transferred outside the
European Economic Area and adequate safeguards we use for these data transfers,

You have the right to data portability as to request that some of your personal data is provided to you, or another
data controller, in a commonly used, machine-readable format,

You have the right to request the erasure of your personal data when such personal data is no longer necessary for
the purposes for which it was collected, or when, among other things, your personal data has been unlawfully
processed. However, please keep in mind that we may not delete all your personal data as we may still need to keep
it for our legitimate purposes such as establishment, exercise and defence of legal claims,

You have a right to access personal data held as to request a copy of the personal data that we hold about you.
There are exceptions to this right, so that access may be denied if, for example, it does infringe upon the rights
and freedom of others or if we are legally prevented from disclosing such information,

You have the right to withdraw your consent: If you have provided your consent to the collection, processing, and
transfer of your personal data, you have the right to withdraw your consent fully or partly. Once we have received
notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to
which you originally consented. This means we will not further process your personal data from the moment of
withdrawal, but the processing activities performed beforehand will still be legitimate.

You can exercise your rights by submitting a request to privacy@5ca.com

Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request
promptly in accordance with applicable law or inform you if we require further information to fulfil your request. When
processing your request, we may ask you for additional information to confirm or verify your identity and for security
purposes before processing and/or honouring your request. We reserve the right to charge a fee where permitted by law,
for instance, if your request is manifestly unfounded or excessive. In the event that your request would adversely
affect the rights and freedoms of others (for example, would impact the duty of confidentiality we owe to others) or if
we are legally entitled to deal with your request in a different way than initially requested, we will address your
request to the maximum extent possible, all in accordance with applicable law.

12. Changes to the Privacy Policy

5CA may make changes to this Privacy Policy. 5CA, therefore, recommends that you regularly check for updates to the
privacy statement. You can track the changes by checking the data on the top of this page.

13. Contact information

You are welcome to contact the Privacy Team (privacy@5ca.com) for any questions, comments, and requests regarding
this Internal Privacy Policy or if you have any other requests or questions about your personal data and its processing
by 5CA.